CVE-2026-43076
Analyzed Analyzed - Analysis Complete
Integer Overflow in OCFS2 Filesystem

Publication date: 2026-05-06

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate inline data i_size during inode read When reading an inode from disk, ocfs2_validate_inode_block() performs various sanity checks but does not validate the size of inline data. If the filesystem is corrupted, an inode's i_size can exceed the actual inline data capacity (id_count). This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data buffer, triggering a use-after-free when accessing directory entries from freed memory. In the syzbot report: - i_size was 1099511627576 bytes (~1TB) - Actual inline data capacity (id_count) is typically <256 bytes - A garbage rec_len (54648) caused ctx->pos to jump out of bounds - This triggered a UAF in ocfs2_check_dir_entry() Fix by adding a validation check in ocfs2_validate_inode_block() to ensure inodes with inline data have i_size <= id_count. This catches the corruption early during inode read and prevents all downstream code from operating on invalid data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43076
EUVD
EUVD-2026-27563
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.24
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.24 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.14 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.83 (exc)
linux linux_kernel From 2.6.24.1 (inc) to 6.6.136 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's ocfs2 filesystem. When reading an inode from disk, the function ocfs2_validate_inode_block() performs sanity checks but fails to validate the size of inline data (i_size). If the filesystem is corrupted, the inode's i_size can be larger than the actual inline data capacity (id_count).

As a result, ocfs2_dir_foreach_blk_id() can iterate beyond the inline data buffer, causing a use-after-free (UAF) error when accessing directory entries from freed memory. This means the system may access invalid memory, potentially leading to crashes or other unpredictable behavior.

The fix involves adding a validation check to ensure that inodes with inline data have i_size less than or equal to id_count, preventing the corruption from propagating.

Impact Analysis

This vulnerability can lead to a use-after-free condition in the ocfs2 filesystem code, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges by exploiting the invalid memory access.

Since the issue arises from corrupted filesystem data, it could also lead to data corruption or loss if exploited or triggered unintentionally.

Mitigation Strategies

The vulnerability is fixed by adding a validation check in the Linux kernel's ocfs2_validate_inode_block() function to ensure that inodes with inline data have their i_size less than or equal to the inline data capacity (id_count).

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Detection Guidance

This vulnerability involves a use-after-free triggered by corrupted inline data size in ocfs2 filesystem inodes. Detection would require checking for inconsistencies between the inode's i_size and the actual inline data capacity (id_count) on ocfs2 filesystems.

Since the issue arises from corrupted filesystem metadata, detection commands would focus on filesystem integrity checks and inspecting inode sizes on ocfs2 volumes.

  • Use the 'fsck.ocfs2' tool to check and repair ocfs2 filesystem inconsistencies.
  • Manually inspect inode sizes and inline data capacity by using debugfs or similar tools if available for ocfs2, although ocfs2-specific debug tools are limited.
  • Monitor system logs for kernel warnings or errors related to ocfs2 inode reads or directory entry processing, which may indicate exploitation attempts or corruption.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43076. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart